tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/rkpd_app.te
Alice Wang e79bbf9cf8 Revert^4 "[avf][rkp] Allow virtualizationservice to register RKP HAL" 
Revert submission 2829351-revert-2812456-revert-2812435-revert-2778549-expose-avf-rkp-hal-GTFGLMUUKQ-PAWNEHUQBT-WYENGHRTXK

Reason for revert: Relands the original topic:
https://r.android.com/q/topic:%22expose-avf-rkp-hal%22

Changes from the reverted cl aosp/2812455:
 - The AIDL service type has been renamed from avf_* to hal_* to be
   consistent with the others.

 - The new AIDL service type, hal_remotelyprovisionedcomponent_avf_service,
   for the IRPC/avf service, has been set up with the server/client model
   for AIDL Hal. The virtualizationservice is declared as server and
   RKPD is declared as client to access the service instead of raw
   service permission setup as in the reverted cl. This is aligned
   with the AIDL Hal configuration recommendation.

 - Since the existing type for IRPC hal_remotelyprovisionedcomponent is
   already associated with keymint server/client and has specific
   permission requirements, and some of the keymint clients might not
   need the AVF Hal. We decided to create a new AIDL service type
   instead of reusing the exisiting keymint service type.

Reverted changes: /q/submissionid:2829351-revert-2812456-revert-2812435-revert-2778549-expose-avf-rkp-hal-GTFGLMUUKQ-PAWNEHUQBT-WYENGHRTXK

Bug: 312427637
Bug: 310744536
Bug: 299257581
Test: atest MicrodroidHostTests librkp_support_test
Change-Id: Id37764b5f98e3c30c0c63601560697cf1c02c0ad
2023-11-22 08:21:27 +00:00

27 lines
947 B
Text
Raw Blame History

###
### A domain for sandboxing the remote key provisioning daemon
### app that is shipped via mainline.
###
typeattribute rkpdapp coredomain;
app_domain(rkpdapp)
net_domain(rkpdapp)
# RKPD needs to be able to call the remote provisioning HALs
hal_client_domain(rkpdapp, hal_keymint)
hal_client_domain(rkpdapp, hal_remotelyprovisionedcomponent_avf)
# Grant access to certain system properties related to RKP
get_prop(rkpdapp, device_config_remote_key_provisioning_native_prop)
set_prop(rkpdapp, remote_prov_prop)
# Grant access to the normal services that are available to all apps
allow rkpdapp app_api_service:service_manager find;
# Grant access to media.metrics service, needed for widevine. This
# access is granted to all other apps already (e.g. untrusted_app_all).
allow rkpdapp mediametrics_service:service_manager find;
# Grant access to statsd
allow rkpdapp statsmanager_service:service_manager find;
binder_call(rkpdapp, statsd)
Reference in a new issue View git blame Copy permalink